Security Risk Analysis and MU Attestation

Security Risk Analysis (SRA) and Meaningful Use Attestation

November 06, 2014

Unlike other measures which asks for numerator / denominator count or polar responses (Yes / No) during meaningful use attestation, the measure “Protect Electronic health information” demands the healthcare provider to conduct or review the SRA (Security Risk Analysis) in accordance with 45 CFR 164.308(a)(1) [security management process standard].

The EHR stores enormous amount of Patient Health Information (PHI) and is being transmitted to providers/patients electronically (ePHI), which leads to a threat of getting accessed by a third person illegally. To protect the ePHI to the most, privacy and security are inevitable things to make sure the protected records are in safe hand always.

Once security policies are in place, it doesn’t mean there are no more actions required to be cared. Day by day the loop holes and new bugs are getting introduced which makes it mandatory to review the security policies in place and if needed necessary loop holes and bugs need to be fixed / updated.

Security Risk analysis deals with comparing the present security measures with the legal standards and policies announced by HIPAA so that provider would come to know where his/her EHR stands in safe guarding patient health information (ePHI). Also SRA provides the opportunity to identify the high risk areas and there by mitigation plan with action could be taken place.

Basic Security and Privacy Threats:

Threats / risks could be of any form. Some of them are,

  • Inappropriate or unauthorized access to Patient’s records
  • Natural threats such as floods, earth quakes, tornadoes.
  • Virus attacks on mobile devices and medical equipment

To gain patients’ trust and to comply with HIPAA and Meaningful Use requirements, every Practice/Hospital should conduct SRA before going for an attestation and during the reporting period. Here is the 10 step plan to meet privacy and security portions of meaningful use from HealthIT

  • Confirm you are a covered entity
  • Provide Leadership
  • Document your Process, Findings and Actions
  • Conduct Security Risk Analysis
  • Develop an Action Plan
  • Manage and Mitigate risks
  • Prevent with Education and Training
  • Communicate with Patients
  • Update Business Associate Agreements
  • Attest for Security Risk Analysis MU objective

For more detailed information on 10 step plan, refer to link

Providers can use free tools available at or can buy commercial tool with expert’s advice. Also, out sourcing to the professional expert will yield the quicker results.

SRA will help the provider to evaluate his EHR and his practice settings for Securing the Patient Data and fixing/mitigating the Security and Privacy threats, if any.

A wonderful guide on privacy and security from HealthIT – Click here to view the same.

Healthcare IT Enterprise IT